December 15 2021

8:15 AM – 8:50 AM (PST) Meet Your Fellow Leaders, Get Acquainted With New Platform

Keynote Room

8:50 AM – 9:00 AM (PST) Welcome address, Richard Greenberg

9:00 AM – 9:50 AM (PST) Opening Keynote, Winn Schwartau:
Defending Security is Probabilistic, Not Deterministic: Get Over It

9:50 AM – 10:10 AM (PST) Break, Visit Sponsors

Room: Vulcan

10:10 AM -11:00 AM (PST) Bob Gourley, “The Metaverse: Infinite Attack Surface and Boundless Risk

11:05 AM -11:55 AM (PST) Robert Wood,
Doing Third Party Risk Management That Does More Than Waste Time

Room: Klingon

10:10 AM -11:00 AM (PST) Micki Boland, “Down the Rabbit Hole – A Tour into the Dark Web

11:05 AM -11:55 AM (PST) Diana Kelly,
Understanding Failure Modes in AI and ML
11:55 AM– 12:25 PM (PST) Break, Visit Sponsors

Room: Klingon

12:25 PM – 1:15 PM (PST) Caroline Wong
Security Metrics Insights

1:20 PM – 2:10 PM (PST) Matt Devost,
Lessons Learned from 25 Years of Red Teaming

2:10 PM – 2:30 PM (PST) Break, Visit Sponsors

Room: Vulcan

2:30 PM – 3:20 PM (PST) Panel: Moderator John Johnson
Building Resiliency in Cybersecurity

Room: Klingon

4:15 PM – 4:35 PM (PST) Break, Visit Sponsors

Keynote Room

4:35 PM – 5:25 PM (PST) Closing Keynote,Wendy Nather:
What We Owe One Another In Today’s Cybersecurity Ecosystem

5:25 PM – 5:30 PM (PST) Closing Comments

Talk Descriptions:

Opening Keynote

9:00 AM – 9:50 AM (PST)

“Defending Security is Probabilistic, Not Deterministic: Get Over It”

Winn Schwartau

Since the inception of computer/data/cyber/network security some fifty years ago, one recurring question has beset our industry: “How do we secure it?” By its very nature, this question has propagated a harmful meme, by implying that a binary deterministic answer is possible. “How can we defend against unknown vulnerabilities and hacks?” is perhaps a more realistic question.

This talk examines security through a non-deterministic lens, applying probabilistic and analogue functions to discover new approaches to defending anthro-cyber-kinetic systems against known and unknown threats.


10:10 AM – 11:00 AM (PST)

“The Metaverse: Infinite Attack Surface and Boundless Risk”

Bob Gourley

The Metaverse is coming. What is the Metaverse? A massive, infinitely scalable, shared virtual world where land, buildings, bots, avatars and other property can be bought sold and persist. Think of it as the future convergence of all of today’s virtual worlds, interconnected with a single settlement layer for totally interoperable transactions.

The Metaverse will be accessible by billions via any web browser, mobile device or virtual reality system. All indications are that the metaverse is destined to become a driving force in how humanity interacts with each other. It will influence education, healthcare, government, commerce, and entertainment.

How big will the Metaverse be? One indicator is the recent announcement by Mark Zuckerberg that he is shifting Facebook to be a Metaverse company. With all the other major players in delivering Metaverse capabilities today this will very quickly become a trillion dollar market. It will also be an incredibly enticing target for the criminal element.

The Metaverse needs the involvement of the security community in ways few are conceptualizing today. This presentation will provide security practitioners with foundational knowledge that will help accelerate the contributions of security professionals to this rapidly developing shared virtual space.


10:10 AM – 11:00 AM (PST)

Down the Rabbit Hole – A Tour into the Dark Web”

Micki Boland

Frequently, Alice in Wonderland is used as the main analogy to the Dark Web, but just like in the book, no one tells us how this magical world was made and what the motive for its creation was. If one wants to become wise on a matter and have a solid opinion on a subject, one needs to learn its historical events and evolution. In our journey through this session, we take you through the evolution, goals and motivation of the Dark Web. I will share with you what and whom you can find on the platforms as well as the major conflicts individuals face while exploring this web. The session also exposes you to the syndicates and structures running on the platforms. Surprisingly we see how those groups were among the first to embrace and implement Blockchain technology and created a major global demand for crypto currencies. This is the time to listen, learn and be exposed to the deepest secrets of the Dark Web.


11:05 AM – 11:55 AM (PST)

“Doing Third Party Risk Management That Does More Than Waste Time”

Robert Wood

Third party risk management programs are a big part of most compliance initiatives, whether it’s SOC2, ISO 27001, or FedRAMP. It’s usually called slightly different things and carried out slightly differently, but it primarily relies on some form confidence building such as questionnaires or policy reviews to determine whether a service or company has security built in. The flaw with relying solely on this approach is that you can buy a perfectly secure tool and use it in a horribly insecure way and this scenario plays out at scale and easier than ever in a world where SaaS can proliferate with nothing more than an authorize button or a free account. This talk will focus on SaaS governance and how to do third party risk management in a more holistic way, in a way that actually helps you reduce risk to your organization


11:05 AM – 11:55 AM (PST)

“Understanding Failure Modes in AI and ML”

Diana Kelly

Science fiction books and movies are full of general knowledge AI – hyper-smart, independent systems that can think for themselves and even repair themselves in a malfunction occurs. The reality is that while AI and ML can accomplish a dazzling array of sophisticated tasks, they are not sentient and unless some element of self-healing functionality is built in, they are not going to be able to fix themselves if something goes awry. Using a published framework for reference, we will explain what causes AI & ML to fail and enumerate intentional failures that can occur when a criminal or attacker tries to cause the system to malfunction. We’ll also describe unintentional failures, how these systems can falter under normal use. While a lot of attention is given to systems that are broken or manipulated on purpose, it’s very important to look at ways systems fail while being trained and under normal use. Especially in the case of AI & ML. We close with recommendations for building resilience into AI & ML.

Failure Modes Covered:

  • Perturbation & Adversarial Universal
  • Perturbation
  • Model Inversion
  • Data Bias
  • Reward Hacking
  • Distributional Shifts
  • Over/Under-fitting


12:25 AM – 1:15 PM (PST)

“Cyber Liability is on the Horizon – Who Pays When the Code and Implementation Malfunction?”

Paul Rosenzweig

Abstract: The Colonial Pipeline ransomware attack is but the latest malicious activity to demonstrate the vulnerability of security in enterprise security and Internet of Things systems. While the vulnerability has mostly been realized in unsecure legacy systems there is no reason to think that new systems coming on line will not also be at risk. Indeed, the potential adverse consequences from security flaws only becomes magnified as connectivity and autonomy grow greater in consumer goods like medical devices and cars that bear more directly on life and death activities. One need only imagine a WannaCry-like ransomware in an automobile to recognize the potentially significant scope of the issue.

Where life and death are at issue, responsibility and liability cannot be far behind. This talk will provide an introduction to the legal and product liability issues related to cybersecurity within critical infrastructure systems and the commercial Internet of Things. Though instances of liability imposition are, to date, few, developments in the insecurity of critical systems may soon give rise to product liability for allegedly inadequate security measure. This will have impacts on the insurance industry and may result in regulatory intervention if industry is not proactive in its approach. In addition to best practices for cybersecurity and standards of software development, this will also require the development of, as yet non-existent, audit and grading mechanisms to support insurance risk rating.


12:25 AM – 1:15 PM (PST)

“Security Metrics Insights”

Caroline Wong
It can be really hard to understand how things are going in cybersecurity, let alone communicate how things are going to others. How do you get the buy-in and collaboration you need for your team and your program? Caroline Wong, author of the best selling textbook Security Metrics: A Beginner’s Guide, will share her expert insights from practical learnings in the field.


1:20 PM – 2:10 PM (PST)

“The B is for Business – Driving Practical Security through the BISO”

Alyssa Miller

What’s that? You’ve never heard of a BISO? You don’t really know what they do? In this session we’ll discuss the growing trend of implementing Business Information Security Officers. While different organizations may have slightly different visions for the role, the core concept of bridging the gap between the security team and the business line remains the same. We’ll examine key areas in which this emerging role can help your program more easily win funding, gain better adoption, and achieve greater overall effectiveness. This session will show you how the alignment of a dedicate security resource within the business line builds a powerful culture of empathy.

Throughout the session, common values and practices that set your BISOs up for success will be shared. You’ll get a clear view of what facets are core to this role and how you can best tailor their alignment and responsibilities to best fit your business and security program. We’ll even discuss strategies for building a business case for developing a BISO community. By the end of the session, you’ll leave with an understanding of why your organization should really be looking at launching a BISO community of their own.


1:20 PM – 2:10 PM (PST)

“Lessons Learned From 25 Years of Red Teaming”

Matt Devost

He draws upon 25 years of red teaming against governments and corporations to identify the top lessons learned from red teaming that can make their engagements more successful. Filled with real-world stories drawn from hundreds of successful hacking operations, Matt provides the audience with an understanding of how red teaming goes applies outside the domain of technical exploitation and how these skills can be used beyond cybersecurity.


2:30 PM – 3:20 PM (PST)

“Panel: Building Resiliency in Cybersecurity”

Moderator: John Johnson, Panelists: Bryan Hurd, Richard Rushing, Caroline Wong

Abstract: Resiliency is becoming a common business requirement and is being reported to the Board. This panel of experts explores how to build resiliency into your cybersecurity program, what it means to be resilient and how to measure and report on it.


2:30 PM – 4:15 PM (PST)

The Dark Web: What it is, Defining Characteristics, and Accessing it Securely”

Joe DePlato

This session provides a deep dive into the Dark Web and its associated technologies. Attendees will gain an understanding of the infrastructure and content of multiple dark nets and learn how to leverage dark web opportunities to advance security objectives. This session will provide a technical overview as well as information about installation, configuration, and defining characteristics of each of the most popular dark nets: Tor, Open Bazaar, I2P, Freenet and ZeroNet.


3:25 PM – 4:15 PM (PST)

“Navigating the Cybersecurity Profession: Essential Elements for a Satisfying Career”

Helen Patton

Having a satisfying cybersecurity career can feel elusive, even for a seasoned cybersecurity professional.  In this session, we’ll talk about things that all security professionals, of all levels and backgrounds, need to know and do, in order to achieve professional success.  

We will cover:

  • The importance of networking, and how to leverage them to achieve your career goals
  • Continuous learning – when, how, and when is it too much?
  • Self-awareness, and why this is the basis for everything you do
  • Managing yourself vs. managing others – when to be a single contributor and when to run a team
  • Handling Security Stress – why does it happen, and what can be done about it
  • Leaving a legacy, what to do if you want to be remembered for more than the immediate job

Closing Keynote

4:35 PM – 5:25 PM (PST)

“What We Owe One Another In Today’s Cybersecurity Ecosystem”

Wendy Nather

Supply chains aren’t single chains; they’re meshes. Breaches in one entity have downstream ripple effects on other organizations. As we get better at visualizing security beyond our dissolving perimeters, we’re discovering that collaboration is more important than ever. Our responsibilities go beyond simply sharing data; we owe one another more than that if we’re going to protect ourselves.

Closing Comments

5:25 PM – 5:30 PM (PST)